I have a problem with an alert removed without a user's action.
When I join the Splunk logs...
splunk_server = "XXX" index=_audit host=YourHostName action=alert_deleted
...I do not see deletion events which may have occurred? Is this some action of the system? How can I identify the cause of the deletion of the alert?